The Cloud Security Alliance has teamed up with European security agency ENISA and Darmstadt university to release a new step-by-step guide for governments looking to securely deploy cloud computing projects.

The Security Framework for Governmental Clouds builds on two previous ENISA studies and analysis of four government cloud initiatives in the UK, Spain, Greece and Estonia, to provide common best practice guidance for European member states.

It covers every step, from pre-procurement right through to what is needed when exiting a cloud contract – all with security and privacy in mind.

The framework is split into four phases, nine security 'activities' and 14 steps government IT managers can use to plan their journey to the cloud.

It can be used both as a pre-procurement guide and throughout the cloud adoption lifecycle, structured according to the 'Plan-Do-Check-Act' security cycle.

Concerns have been raised in the past that government cloud projects are simply not getting the buy-in they need from stakeholders.

A study of 300 UK civil servants last year found that two-thirds had knowledge of the government’s G-Cloud initiative while just 38% said they’d used it to procure cloud services.

The CSA/ENISA report itself echoed such concerns:

“Despite considerable efforts from the EC, ENISA and other international organisations and market actors (e.g. CSPs) the level of adoption of Gov Clouds is still low. Some EU member states have already defined a cloud strategy, some others show a tactical or opportunistic adoption of cloud services, but very few (actually only UK and Spain) have defined and implemented a nationwide cloud strategy. This security framework will be one more reason to support the systematic adoption of cloud security strategies and actual governmental cloud deployment.”

Spanish security firm Panda Security recorded an average of 200,000 new malware strains every day in 2014 – more than double the figure of the previous year.

The vendor’s PandaLabs research division claimed to have stopped and blocked 75 million samples last year, more than twice the 2013 figure of 30 million.

What’s more, the firm said that it had come across 220 million pieces of malware since it began detecting malicious code, meaning that the huge figure blocked in 2014 accounts for a third (34%) of all malware ever written.

Unsurprisingly, trojans came out as the most common malware, accounting for 70% of all new malware created, followed by viruses (12.3%), other malware (10%), worms (6%), and adware/spyware (3%).

Trojans also accounted for more infections than any other type of malware, at 65%, with infamous ransomware CryptoLocker branded one of the “nastiest” by PandaLabs technical director, Luis Corrons.

“We are experiencing a significantly greater amount of malware targeted across a larger number of devices. And despite the numbers of infected devices globally dropping overall, 2014 saw some of the worst data breaches ever, hackers disassembling entire corporate infrastructures and indiscriminate attacks on the entire online community,” he told Infosecurity.

“Cyber-criminals are showing themselves to be more resourceful and active than ever; therefore, companies and users must take a more active stance, maintaining awareness of security issues and employing all prudent protection solutions.”

It appears as if users in Europe are among the best in the world for taking such steps.

This region had the lowest infection rate globally, with nine countries ranked among the 10 least infected.

The top four consisted of: Sweden (20%), Norway (20%), Finland (21%) and the UK (22%).

At the other end of the scale, China remained the country with the highest global infection rate, at a whopping 49%, followed by Ecuador (42%) and Turkey (41.5%).

Despite all the doom and gloom, however, the average global infection rate of 30.4% stood significantly lower than the 2013 figure, according to Panda Security.

Semiconductor equipment maker ASML has played down a recently discovered cyber attack on its systems, claiming that no ‘valuable’ files were stolen.

The Dutch firm is the world's largest maker of photolithography machines, which are vital to the fabrication of integrated circuits.

It said in a brief statement on Sunday that it recently discovered “unauthorized access to a limited portion of its IT systems” but that it took immediate steps to contain the breach.

The firm continued:

“The time between the break-in and the discovery by ASML IT staff was short. At this time it appears that only a limited amount of data has been accessed. ASML has not found any evidence that valuable files, either from ASML or our customers and suppliers, have been compromised. We cannot be certain about the identity of the hackers.

ASML, like any other leading organization, is subject to cybersecurity attacks. We take knowledge protection very seriously and constantly work to improve our defenses against hacking attempts and our detection capabilities.

We will not provide further information about this event unless there is a significant development.”

ASML makes highly specialized and complex technology; in fact, some estimates claim that the lithographic process accounts for around a third of the cost of chip manufacturing.

This obviously makes it an attractive target for industrial espionage, although the firm has declined so far to speculate on the motive for the attack.

There’s also a possibility that hackers were attempting a “stepping stone” attack targeting one of its major chip partners.

Local reports in the Netherlands have claimed that the “Chinese authorities” were responsible, although definitive attribution in these cases is usually tricky.

Even if the computers used in the attack were indeed based in China, it’s possible they were remotely controlled from another country to throw investigators off the scent.

New stats from Panda Security released this week, for example, claim that China has the most malware infections of any country globally with an astonishingly high rate of 49%.

Critics of Beijing’s state-sponsored hacking will point out, of course, that these stats provide plausible deniability for the country’s real cyber operatives, like the notorious PLA Units 61486 and 61398.

Consensus on this complicated topic was, unsurprisingly, scarce. However, several panelists did agree on one factor: simplicity and consumer trust will be the most influential drivers of change.

Payfone’s Rodger Desai said that, “Every cool thing you can do on your phone relies on consumers trusting that when they interact with these things that they’re safe.”

Mobile wallets, he said, are a key example of this – a pertinent point given that Samsung has used MWC to unveil its Samsung Pay service. But as these payment systems are rolled out, “the front doors are very weak,” Desai said. “If we don’t get that right as an industry it will erode consumer trust.”

These points were echoed and expanded on by Telenor’s Sven Størmer Thaulow. He argued that the debate about mobile identity and authentication solutions must not just be focused on the US and EMA markets, given the significance of the rising tide of mobile users taking up the technology for the first time in the developing world.

“Quite a few people in the next one billion to use the internet will be illiterate; they won’t know what a password is. The authentication service that cracks simplicity and gains the trust of end-users will be the one that wins. Delivering simplicity and value is key.”

Another issue debated by the panel was the security efficacy of a password and phone number combination, commonly combined in two-factor authentication solutions.

Stacy Stubblefield, Telesign co-founder, argued the case for two-factor, saying “We believe the mobile phone number is the best identifier online.”

She added that, to stop fraudsters, users should make sure they have a phone number tied to every account: “A user name and password being used doesn’t mean that that person is the correct user. When you tie a number to the account you can verify that that person is the correct person and a real person, not just a bot.”

Other panelists expressed some skepticism about two-factor. Desai said: “The challenge is that there are a tremendous amount of signals in the network. You need to use intelligence. You can have a token for an individual but then you can look at the signals to find out if the right person is behind that signal.”

As ever, one of the only points of agreement was that no technology is hack-proof. “A fraudster can port a landline onto a prepaid SIM card,” said Desai, proving that a call claiming to be from a certain number is not always 100% trustworthy.

Beyond the attempt to implement technologies that have more resistance to tampering or spoofing, though, Stubblefield still argued that two-factor authentication has a key role to play in raising the threshold of complexity for fraudsters to combat.

If you turn on two-factor, she said, you are far less of a target because you are more protected than the masses. “Fraud is a business – you want to get as much money as possible and leave as quickly as you can,” she added, saying that raising the complexity even slightly can be enough to deter criminal attacks of this kind.

But while a global standard for authentication could one day be achievable, the panel suggested, a global standard for personal, electronic identity seems much farther off.

With ID cards and electronic identity services in place across some countries but strongly resisted in others, any kind of global system of user identification will not be quickly achieved.

Nonetheless, the concept does provide an opportunity for the mobile industry, panelist Chris Ferguson of the UK Cabinet Office said. He argued that “It is going to be industry and government that drive interoperability” in terms of arriving at electronic identity solutions that meet consumer demands and operate within privacy frameworks.

“A standards based approach could take years,” he added. “We’re keen on trying to push for a market approach.”

Source: http://www.infosecurity-magazine.com/news/mwc-2015-consumer-trust-key/ (Mon, 02 Mar 2015 18:00:00 GMT)

MWC15: Complexity of IoT may slow adoption, warns AVG (http://www.infosecurity-magazine.com/news/mwc15-complexity-of-iot/)

Complexity is the major challenge that stands in the way of wide-scale adoption of internet of things devices in the home, Yuval Ben-Itzhak, CTO at AVG Technologies, told Infosecurity at Mobile World Congress 2015.

“As more and more people are moving to IoT services, one of the challenges we’re seeing for consumers is ‘How do I deal with all of that?’ Many users hardly manage to configure their WiFi properly – we see a lot of security issues with people just leaving it as it is. Now imagine that problem with the complexity of the IoT. It’s a big challenge. It may actually slow down the adoption of IoT in the home.”

AVG used Mobile World Congress to announce a round of new solutions in keeping with its reputation as one of the most widely used consumer security providers. Ben-Itzhak gave Infosecurity a preview of one of these, the new version of its Zen mobile security application.

The app takes a family focus, providing an all-in-one-place overview of a number of pieces of information provided by partner apps and wearables. These include phone controls and location services, for example to let parents keep track of their children.

Version two of AVG Zen will also offer information to users about core services from mobile operators, such as when they are nearing their data capacity.

Ben-Itzhak said that this addresses a core security issue faced by many families: “How to provide the simplicity to the family to deal with a range of smartphones and tablets – and now even more connected services.”

He added that, “People are busy with their lives already. We are looking at the device, the data and the people. For people it’s not just about the device, it’s about, ‘Did you turn the alarm on at home? Has something happened with a credit card? Did I authorize that?’”

To help mitigate the problem of “overflowing notifications” that IoT brings, the aim for AVG now is to “take all the complexity out and deliver one single, meaningful notification. It could be on a wearable or phone, and it should give you the option to simply ‘fix it’.”

Source: http://www.infosecurity-magazine.com/news/mwc15-complexity-of-iot/ (Mon, 02 Mar 2015 16:35:00 GMT)

MWC15: Personal Privacy Has Become an Enterprise Issue, says Silent Circle (http://www.infosecurity-magazine.com/news/mwc15-personal-privacy-an/)

Silent Circle has unveiled a new ‘enterprise privacy ecosystem’ that it describes as the “world’s first.” The company, known for its encrypted, privacy-focused Blackphone product, made the announcement at Mobile World Congress 2015.

A panel of senior Silent Circle officials told the assembled press in Barcelona that the enterprise solution would include two new hardware products, Blackphone 2 and the Blackphone+ tablet, and also new apps and software.

“Enterprise privacy is the collective privacy of all the individuals in the enterprise,” said Phil Zimmermann, Silent Circle co-founder and PGP guru. “Personal privacy has become an enterprise issue.”

He added, regarding the string of major breaches that have lit up the headlines in the last year: “You couldn’t write fiction that was more catastrophic than some of the things we’ve seen.”

The new software unveiled by the company includes PrivatOS, Silent Suite and Silent Meeting. The latter is a conference call solution for tablets that Mike Janke, the company’s co-founder and chairman, described as “challenging the $20bn conference call industry.”

The software, with its visual interface, does away with traditional conference call features such as dial-in codes.

Jon Callas, Silent Circle’s CTO and a former Apple man, said of Silent Meeting: “The users don’t have to sweat the security. It uses our tech, our network. The calls are encrypted – this is true if you have it on a Blackphone tablet, an Android tablet or an iOS tablet. You don’t have to ask who just called in, you don’t have all of the annoyances you would have in normal audio conferencing.”

Meanwhile, the newest version of the company’s PrivatOS Android-based mobile operating system includes new functionality, dubbed Spaces, which offers virtualization controls enabling the separation of one OS into different ‘containers’, so that work, private and family strands can be separated out.

“You get in effect separate phones on one phone,” said Callas. “It’s a virtualization system that allows you to have multiple phones that all run separately.”

The company made its objective very clear at MWC, as it sets out its stall in an attempt to differentiate itself from other smartphone providers with its privacy-centric USP.

“You will not see curved screens. You will not see selfie sticks,” joked Janke. “Our focus is security and privacy.”

He added: “We take it very seriously – people’s lives are actually in danger. Never before have private citizens in the world been under such barrage from governments hacking away at our privacy. Never has businesses’ intellectual property been under such assault as it has today.”

Entrust man Bill Conner, now president and CEO of Silent Circle, warned the enterprise landscape that, “Your business brand is about trust. The cost of that trust as a brand value now has a dollar figure.”

The company’s Blackphone products are built on the ZRTP mobile architecture. Zimmermann described Blackphone’s technology as “a protocol that doesn’t rely on a public key infrastructure. We don’t rely on a top-down centralized trust model, like with certificate authorities.”

Blackphone 2 will be available this July, Silent Circle said, with the Blackphone+ tablet following in the fall.

Security vendor FireEye has released a timely warning about the scale of the mobile threat facing users with a new report claiming that over five billion downloaded Android apps are vulnerable to remote attacks.

The firm’s Out of Pocket report details analysis of seven million iOS and Android apps.

The JavaScript-Binding-Over-HTTP (JBOH) flaw may be the riskiest for those five billion vulnerable apps, it claimed.

The flaw arises when an app exposes a native Java object to page JavaScript in a WebView and loads that page over cleartext HTTP: anyone able to hijack the HTTP traffic can inject malicious content and links into the WebView and, through the exposed bridge, gain full control of the app. Almost one third (31%) of popular Android apps with over 50,000 downloads were vulnerable, the report claimed.
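As an added illustration of the JBOH pattern (example code written for this page, not from FireEye's report or any named app), the insecure bridge setup is shown beside a hardened one; the bridge class, host name and URLs are assumed placeholders.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class BridgeSetup {

    // Hypothetical native object handed to page JavaScript (name and method are assumptions).
    public static class DeviceBridge {
        // From targetSdkVersion 17 onward only @JavascriptInterface methods are reachable from JS;
        // below 17 every public method (and reflection) was exposed, so the target SDK matters.
        @JavascriptInterface
        public String getDeviceId() {
            return "device-id-placeholder";
        }
    }

    // VULNERABLE (JavaScript-Binding-Over-HTTP): a cleartext page is given a native bridge.
    // Whoever can rewrite the HTTP response can run JavaScript that calls window.device.*
    @SuppressLint("SetJavaScriptEnabled")
    public static void vulnerable(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new DeviceBridge(), "device");
        webView.loadUrl("http://example.test/app/home"); // placeholder URL, cleartext
    }

    // HARDENED: the bridge is only ever reachable by pages served over HTTPS from our own host.
    // Mixed content (http:// subresources inside the https:// page) is blocked by default on
    // API 21+; setting android:usesCleartextTraffic="false" in the manifest (API 23+) blocks
    // cleartext app-wide as a second line of defence.
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardened(WebView webView) {
        final String allowedHost = "example.test"; // placeholder host
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation; only https:// to our host is allowed.
                return !isAllowedOrigin(url, allowedHost);
            }
        });
        webView.addJavascriptInterface(new DeviceBridge(), "device");
        webView.loadUrl("https://example.test/app/home"); // placeholder URL, TLS only
    }

    // Origin check shared by the client above: scheme must be https and host must match exactly.
    static boolean isAllowedOrigin(String url, String host) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && host.equalsIgnoreCase(u.getHost());
    }
}
```

Note that shouldOverrideUrlLoading only covers navigations initiated by the page, not the initial loadUrl call, which is why the hardened version also starts from an https:// URL.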

It’s not just insecurely coded apps that are exposing Android users to danger: the platform now accounts for 96% of all mobile malware, according to FireEye.

Malware designed to steal financial information was particularly prevalent – rising 500% in volume in the second half of 2013.

The report added:

“We found that Android malware (excluding adware and grayware) surged from roughly 240,000 unique samples in all of 2013, to more than 390,000 unique samples in the first three quarters of 2014.”

The iOS ecosystem has always been strictly regulated by Apple, meaning that historically very little in the way of malware or security flaws existed.

However, this is gradually changing, according to FireEye.

So-called "EnPublic" apps, signed with enterprise certificates and distributed using enterprise provisioning profiles, are becoming a popular way for malware writers to bypass the App Store review process.

Some 80% of them use private APIs, which Apple prohibits, for example.

“EnPublic apps can use private APIs within iOS and load user interfaces mimicking authentic Apple apps, which attackers use to attack iOS devices. Attackers can easily send victims a text message or email with a link to download an EnPublic app.”

Although FireEye only found 1,400 of these apps on the public internet, there could be many more on the way, the firm warned.

Another security risk for iOS users is the new malware strains WireLurker and Pawn Storm, which use enterprise and ad-hoc provisioning to install malware on non-jailbroken devices.

WireLurker used trusted USB connections and enterprise provisioning to download malware onto non-jailbroken devices, with the end goal to steal money from victims.

Proofpoint has announced its plans to acquire Emerging Threats for approximately $40 million in cash and stock.

Emerging Threats uses an automated collection and analysis system, along with a team of expert threat researchers, to produce actionable threat intelligence for detecting, blocking and remediating advanced cyberattacks. Its systems gather millions of malware samples and other global threat indicators per day to develop intelligence about advanced cybercriminal malware distribution and command and control (C&C) infrastructure. This system then collects, validates, filters and prioritizes malware samples.

"Better cyberattack intelligence enables better cybersecurity," said Gary Steele, CEO at Proofpoint, in a statement. "Proofpoint's market-leading advanced threat detection and response products for email and social media security and compliance will be further enhanced by pairing them with Emerging Threats' deep research and intelligence capabilities. We believe that the combination of Proofpoint and Emerging Threats provides the most timely, actionable end-to-end attack intelligence and protection available in the industry."

As part of the acquisition, Emerging Threats' team of threat researchers, software engineers and sales personnel will join Proofpoint's team, continuing to operate from the Emerging Threats headquarters in Indianapolis.

"Emerging Threats has a proven track record of effectively detecting and responding to today's advanced cyberattacks," said Ken Gramley, Emerging Threats chief executive officer, who will become vice president of Emerging Threats for Proofpoint upon consummation of the acquisition. "Our suite of threat intelligence products delivers actionable, correlated threat intelligence necessary to security teams. We're excited to integrate with Proofpoint's solutions to bring our industry-leading advanced threat detection and remediation capabilities to an even larger market."

Samsung is integrating Unikey’s touch-to-open, keyless and cardless entry for consumers and businesses into its KNOX mobile operating system.

Powered by what it calls a smart access control cloud, UniKey's first residential application, the Kwikset Kevo key offering, is available in the Google Play store, and will be available via KNOX Apps later this month for Android 5.0 devices. The application can be used for unlocking doors, entryways and gates without the need for a key or badge in residential, enterprise, commercial, government, institutional or multi-tenant residential environments.

When downloaded from the Google Play store or KNOX Apps, UniKey's access control cloud platform interfaces with Samsung mobile devices inside the secure KNOX container.

KNOX is Samsung’s Android variant that was developed to meet military and enterprise standards for security. It’s approved for use by the Pentagon, and contains a range of security functions. These include antivirus from Lookout, and a Customizable Secure Boot that ensures only verified and authorized software can run on the device. Also, TrustZone-based Integrity Measurement Architecture (TIMA) provides continuous integrity monitoring of the Linux kernel. When TIMA detects that the integrity of the kernel or the boot loader is violated, it takes a policy-driven action in response. One of these policy actions disables the kernel and powers down the device.

"By integrating with Samsung KNOX, UniKey is enabling the most secure access solution for businesses and consumers," said Phil Dumas, UniKey founder and president, in a statement. "In partnership with Samsung, UniKey is making it even more convenient for businesses to manage secure access to any door, gate or badge access point and giving consumers the most convenient and secure way to manage access to their home. Through our partnerships with global market leaders in their respective industries, and with diverse businesses around the world, UniKey has expanded its footprint well beyond residential and into commercial enterprise with further platform expansions in 2015 and beyond."

UniKey also recently announced integration with Nest Learning Thermostat through the Works with Nest program, to enable personalization of thermostat preferences and provide greater energy savings in smart homes and smart businesses.

5G wireless networks will support 1,000-fold gains in capacity, connections for at least 100 billion devices and a 10Gbps individual user experience capable of extremely low latency and response times. To meet the security requirements that go along with this next evolution in mobile networks, Cavium is demonstrating its single-chip OCTEON III processor, which runs a full IPsec security application at 100Gbps throughput.

By 2019, global mobile IP traffic will reach an annual run rate of 292 exabytes, up from 30 exabytes in 2014, according to Cisco’s Visual Networking Index. Global network users will generate 3 trillion Internet video minutes per month—the equivalent of 6 million years of video, 1.2 million video minutes every second, or more than two years’ worth of video every second. At the same time, secure transport throughput requirements in wireless networks are growing exponentially, creating the need for much higher performance processors with advanced security acceleration in next-generation equipment.

Cavium has worked closely with Linaro to support the new ODP initiative and has expanded support for it to the OCTEON III processor line as well as the ThunderX family of processors.

“OpenDataPlane will allow Cavium customers to run their dataplane applications on a wide range of our processors,” said Raghib Hussain, Corporate VP/GM and CTO. “The ability to write applications once and then use them on many different processors and architectures is very appealing and since it is backed by a true open standards body, customers will not be locked into legacy architectures.”

Thousands of TalkTalk customers have been potentially exposed to telephone-based fraud scams after hackers managed to access personal details via one of the telco’s contracted third parties.

The firm was forced to send its customers an email last week revealing that phone fraudsters were using the stolen information to trick customers into handing over their bank details, or downloading malware on their PCs.

“Received a call claiming to be from TalkTalk? Recently there has been an increase in the number of cases of scammers claiming to be from TalkTalk preying on our customers, and some of them were quoting their TalkTalk account number as well as their phone number.

After further investigation, we’ve become aware that some limited information we have about some of our customers could have been accessed in violation of our security procedures.”

TalkTalk was at pains to point out that no date of birth, bank or card details had been accessed, but admitted to the BBC that the number of customers affected was in the “small thousands.”

The telco claimed that it was only alerted to the situation after experiencing a rise in the number of customers complaining that they’d been targeted by vishers late last year.

It added:

“As part of our ongoing approach to security, we constantly test our systems and processes using external security specialists. We have put every possible measure in place to try and stop this from happening again.

We have reported the matter to the Information Commissioner’s Office and we're liaising with them and other official bodies because these scammers are targeting every sector.”

The third party company in question is now the subject of legal action by TalkTalk and the telco said it had worked with a specialist security firm to remediate the problems which led to the data breach.

“Everyone needs to be on their guard for unsolicited emails and phone calls. If in doubt, go the extra mile to confirm that the person contacting you is legitimate and from the company they say they are,” advised security expert Graham Cluley.

“Often the best way is to visit the company's real website, and look for a contact number there rather than trusting them to identify themselves truthfully if they call you.”

Taxi service Uber has subpoenaed GitHub in a bid to find out the identity of the person who managed to illegally access its database of drivers’ details, exposing up to 50,000 of them last year.

The firm’s managing counsel of data privacy, Katherine Tassi, admitted in a blog post on Friday that late last year it identified a “one time access” of the database, exposing driver names and license numbers.

“Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access,” she added.

“We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident.”

The incident occurred in May 2014 but only exposed the details of a “small percentage” of Uber’s US drivers, albeit across multiple states, Tassi claimed.

In the meantime the firm is offering affected drivers free one-year membership of Experian’s ProtectMyID alert service, and has filed a John Doe lawsuit against the person it believes to be the hacker (via The Register).

The taxi service has also filed a subpoena against developer platform GitHub to force it to reveal the IP address of anyone who visited a specific Gist post between March and September 2014.

The post is not available now, but according to the John Doe lawsuit, it contained a “unique security key” which the attacker is alleged to have used to access the Uber driver database.

This isn’t the first time privacy issues have been raised about the firm.

Its lost and found records were briefly published online last month, while in November last year reports emerged that an executive had tracked the travel records of a journalist without her permission.

That incident forced the firm to update its privacy policy to clarify that it prohibits “all employees at every level from accessing a rider or driver’s data.”

Yet at the same time separate reports emerged alleging that another exec had floated the idea of using the firm’s ‘God’s View’ tool to attack critics of the company.